 /**
  * Build the "please confirm your email" block for the current Viewer.
  *
  * @return string rendered tplConfirmemail block when the Viewer's role
  *                contains 'unactivated', otherwise an empty string
  */
 protected function makeConfirmBlock()
 {
     $viewer = $this->Registry->Viewer;
     $roleId = $viewer->getRoleId();
     $email = $viewer->email;

     // Only accounts whose role id contains 'unactivated' get the block.
     if (false === \strpos($roleId, 'unactivated')) {
         return '';
     }

     /**
      * @todo Translate strings
      */
     // NOTE(review): the email is account data entered by the user; the
     // template is expected to HTML-escape it - confirm in tplConfirmemail.
     $vars = array(
         'email'        => $email,
         'notConfirmed' => $this->_('not validated'),
         'sendLink'     => $this->_('send me validation link'),
     );

     return \tplConfirmemail::parse($vars);
 }
 /**
  * Check whether a role (by default the current Viewer) holds a privilege,
  * optionally on a specific resource; site-wide when $resource is omitted.
  *
  * Thin wrapper around Zend_Acl isAllowed() with the parameters reordered,
  * because callers here most often pass only the privilege, the role is
  * usually the Viewer and the resource is usually omitted.
  *
  * @param string|null   $privilege name of privilege (like 'add_comments');
  *                                 when null, $this->permission is used if set
  * @param RoleInterface $role      our User object is fine because it
  *                                 implements Zend_Acl_Role_Interface;
  *                                 defaults to $this->Registry->Viewer
  * @param mixed         $resource  object or string name of resource, or null
  *
  * @return object $this when access is allowed, or when neither $privilege
  *                nor $this->permission is set (nothing to check)
  *
  * @throws AuthException        the user is not logged in; the template then
  *                              presents a login form on the error page
  * @throws UnactivatedException the user is logged in but has not confirmed
  *                              the email address
  * @throws AccessException      the user is logged in but lacks the privilege
  */
 public function checkAccessPermission($privilege = null, RoleInterface $role = null, $resource = null)
 {
     if (null === $privilege) {
         d('$privilege is null');
         // No explicit privilege and none configured on the object: nothing
         // to check, so this is a no-op.
         if (!isset($this->permission)) {
             d('$this->permission not set');
             return $this;
         }
         $privilege = $this->permission;
     }

     /**
      * Without an explicit $role the current Viewer is used. The Viewer is
      * normally kept in the session, so its role data can be stale: an admin
      * may have banned the user, demoted a moderator or moved the user to
      * the 'spammers' group after login. The intended remedy is to call
      * reload() on the User, which swaps in a fresh data array (still served
      * via cache, so an unchanged user costs no sql select; a Mongo select
      * is fast anyway).
      *
      * NOTE(review): no reload() call is visible in this method - confirm the
      * Viewer is refreshed before the ACL decision, otherwise a revoked role
      * keeps its privileges for the lifetime of the session.
      *
      * Storing only the uid in the session (and reading USERS on every visit)
      * would avoid the reload, but the concrete class (TwitterUser,
      * FacebookUser, ...) would be lost, which is why reloading was preferred.
      */
     $subject = (null === $role) ? $this->Registry->Viewer : $role;
     $translator = $this->Registry->Tr;

     /**
      * The Acl object may be served from cache (saves ~5-7 ms per request).
      * After editing acl.ini the Acl key must be removed from the cache
      * manually (C_Cache collection).
      */
     $acl = $this->Registry->Acl;
     $subjectRoleId = $subject->getRoleId();
     d('$roleID ' . $subjectRoleId . ' $privilege: ' . $privilege);

     if ($acl->isAllowed($subject, $resource, $privilege)) {
         return $this;
     }

     // Denied: pick the exception type that tells the error page what to show.
     if (!$this->isLoggedin()) {
         /**
          * @todo translate string
          */
         throw new AuthException($translator->get('Please Register or Login to perform this action'));
     }

     if (false !== \strpos($subjectRoleId, 'unactivated')) {
         // A User with an email on file gets the "resend validation link"
         // block; anything else gets a plain link to the settings page.
         // NOTE(review): strlen() > 6 is only a crude "looks like an address"
         // check, and the message is rendered as markup - confirm that
         // tplConfirmemail HTML-escapes the email value.
         if ($subject instanceof User && strlen($subject->email) > 6) {
             /**
              * @todo
              * Translate string
              */
             $vars = array(
                 'email'        => $subject->email,
                 'notConfirmed' => $translator->get('not validated'),
                 'sendLink'     => $translator->get('send me validation link'),
             );
             $message = \tplConfirmemail::parse($vars) . '<br>';
         } else {
             $message = $translator->get('You have not confirmed email address')
                 . '<br><a href="/settings/">'
                 . $translator->get('Request activation email')
                 . '</a><br>';
         }

         throw new UnactivatedException($message);
     }

     throw new AccessException($translator->get('Your account does not have permission to perform this action'));
 }
 /**
  * Build the "please confirm your email" block for the current Viewer.
  *
  * @return string rendered tplConfirmemail block when the Viewer's role
  *                contains 'unactivated', otherwise an empty string
  */
 protected function makeConfirmBlock()
 {
     $viewer = $this->Registry->Viewer;
     $roleId = $viewer->getRoleId();
     $email = $viewer->email;

     // Only accounts whose role id contains 'unactivated' get the block.
     if (false === \strpos($roleId, 'unactivated')) {
         return '';
     }

     // The second argument (false) is passed through to the template parser
     // unchanged; its meaning is not visible from here.
     // NOTE(review): the email is account data entered by the user; the
     // template is expected to HTML-escape it - confirm in tplConfirmemail.
     return \tplConfirmemail::parse(array('email' => $email), false);
 }